
Friday, 05 February 2010

How to create strong passwords

If you want to avoid the embarrassment of finding your password on the Worst Offenders' List but struggle to come up with a strong, memorable password on your own, try a password creator (generator). Several freeware tools are available for PC and Mac. Use this quick summary and analysis to choose one that's right for you.

pwgen for Mac OS

pwgen is a graphical user interface for the OpenBSD command line utility, pwgen. You can customize the password you generate to include all the "complexity" elements of a strong password (length, capitals, numbers, special characters), and you can also exclude characters that may look alike when certain fonts are used (O and 0, B and 8).

RPG for Mac OS

Random Password Generator (RPG) offers the same features as pwgen but also allows you to create password schemas or "environmental constraints". For example, you can apply filters to limit the characters used by RPG to generate hexadecimal passwords for WLAN security, or you can create filters to avoid ambiguous characters (as does pwgen).
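As an added illustration, not code from any of the utilities above, the following Python script implements the features pwgen and RPG share: configurable length and character classes, a guaranteed character from every chosen class, exclusion of look-alike characters such as O/0 and B/8, a hex-only mode of the kind RPG's filters produce for WLAN keys, and an entropy estimate. The character sets and the ambiguous-character list are my own choices.

```python
import math
import secrets
import string

# Look-alike characters to exclude (the O/0 and B/8 pairs from the text,
# plus l/1/I and the pipe, which are ambiguous in many fonts). Constructed list.
AMBIGUOUS = set("O0B8l1I|")

# Character classes a generator typically offers. Constructed sets.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": "!@#$%^&*()-_=+[]{};:,.?/",
}


def build_pools(classes, exclude_ambiguous=True):
    """Return the per-class alphabets, optionally with look-alikes removed."""
    pools = {}
    for name in classes:
        chars = [c for c in CLASSES[name] if not (exclude_ambiguous and c in AMBIGUOUS)]
        if not chars:
            raise ValueError(f"class {name!r} is empty after filtering")
        pools[name] = "".join(chars)
    return pools


def generate(length=16, classes=("lower", "upper", "digits", "symbols"),
             exclude_ambiguous=True):
    """Draw `length` characters from a CSPRNG (secrets), guaranteeing at least
    one character from every requested class, then shuffle so the guaranteed
    characters do not always sit at the front."""
    if length < len(classes):
        raise ValueError("length too short to include every required class")
    pools = build_pools(classes, exclude_ambiguous)
    chars = [secrets.choice(pools[name]) for name in classes]
    combined = "".join(pools.values())
    chars += [secrets.choice(combined) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def generate_hex(length=26):
    """Hex-only password (the WLAN-key style filter RPG describes)."""
    return "".join(secrets.choice("0123456789abcdef") for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Upper bound on entropy for `length` uniform draws from `alphabet_size`
    symbols; forcing one character per class lowers the true value slightly."""
    return length * math.log2(alphabet_size)


def satisfies(password, classes, exclude_ambiguous=True):
    """Check that every requested class is present and no look-alike slipped in."""
    pools = build_pools(classes, exclude_ambiguous)
    has_all = all(any(c in pools[n] for c in password) for n in classes)
    clean = not (exclude_ambiguous and any(c in AMBIGUOUS for c in password))
    return has_all and clean
```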

Password Assistant for Mac OS

Password Assistant (PA) has the same features as pwgen and RPG. This program lets you use the built-in password assistant dialog in Mac OS without having to slog through System Preferences and the Accounts preference pane to get to it. PA also gives you access to the Mac OS "memorable" option, which generates passwords composed from random words, symbols and numbers.

Password Generator XP

This utility offers strong, complex password creation for Windows 7 and XP. In addition to the obligatory complexity features, Password Generator XP has a nifty vowel insertion algorithm that lets you generate passwords you can "pronounce". It also offers a choice of several passwords each time you select criteria and run the program.

net user command line utility (Windows)

Throwback Windows users can open a CMD prompt, type net user username /random and generate a random password according to the local security policy enforced on their PC. Effective, if not glamorous or particularly creative.

Parting remarks

I'm not endorsing any particular product here, nor am I suggesting you MUST use a password generator. If none of the utilities I mentioned here strike your fancy, you can find dozens of programs to generate or manage passwords by searching. You can also find web pages that offer scripts to generate passwords that satisfy typical minimum password complexity criteria. Remember to download from a source you trust, and verify with your own antimalware software that the utility you choose is legitimate. Most importantly, however... use long, complex passwords. Don't use the same password everywhere. Generate new passwords reasonably frequently.

Comments


Thanks for this pointer. I will download the script and give it a try.

You raise a good point about online password testing tools: a test script or application hosted on a web server does create a possibility of a man-in-the-middle attack, where the password you are composing or checking is intercepted or captured by a bad guy. To minimize this, I suggest that you use such password generators to compose a password of desired composition and length, but then change the suggested password a bit before you actually put it to use. If you are really concerned, use a client-side password generator such as the ones I've mentioned.

It has at least three advantages:
- Customizable (length, character set)
- It is all client-side, so you don't have to worry (that much) about MITM attacks
- Given that it is fully client side, you can do a code review instead of placing your trust in some server

Thanks for this observation. Everyone is capable of remembering passwords, the trick is to learn to compose passwords you alone will remember. Alternatively, create one very strong password. Use a random password generator to create passwords for all your accounts, and store these in a password vault or safe (many such applications exist).